Downloader-BFX
- Type: Trojan
- SubType: Downloader
- Discovery Date: 11/19/2007
- Length: 37376
- Minimum DAT: 5167 (11/20/2007)
- Updated DAT: 5167 (11/20/2007)
- Minimum Engine: 5.1.00
- Description Added: 11/19/2007
- Description Modified: 11/20/2007 6:19 AM (PT)
Characteristics
Detection was added to cover a downloader file named "foto2007.exe" with a file size of 37,376 bytes.
The file is compressed with the PKLite32 packer.
The file is written in Borland Delphi.
When executed manually, it immediately connects to remote sites and downloads further files:
- BSYYS.exe, file size 234,496 bytes
- IMGLOG.exe, file size 1,075,200 bytes
Both of these files are also packed with PKLite32 and written in Delphi; their purpose is to capture user information such as passwords.
A temporary file named PONTO.dll is created; despite the extension it is not a DLL but a plain ASCII text file. Another leftover file is named "megatron.ini".
It also downloads a file named:
- PIRATA.jpg, file size 22,528 bytes. This file is not packed and, despite the .jpg extension, appears to be a renamed 32-bit PE executable.
File locations, for example on a Windows 2000 system:
- c:\Documents and Settings\All Users\Start Menu\Programs\Startup\bsyys.scr, size: 234,496 bytes
- c:\Documents and Settings\All Users\Start Menu\Programs\Startup\imglog.exe, size: 1,075,200 bytes
- c:\WINNT\pirata.jpg, size: 22,528 bytes
- c:\WINNT\ponto.DLL, size: 397 bytes
- c:\WINNT\system32\bsyys.scr, size: 234,496 bytes
- c:\WINNT\system32\imglog.exe, size: 1,075,200 bytes
- c:\WINNT\system32\MEGATRON.ini, size: 0 bytes
Registry Run entries with deceptive, Symantec-sounding value names are added so that the malware is executed automatically at system start, for example on a Windows 2000 system:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "symanteccsysconf"
  Data: C:\WINNT\system32\bsyys.scr
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SymantecFilterCheck"
  Data: C:\WINNT\system32\imglog.exe
Note that bsyys.scr is the downloaded BSYYS.exe under a screen-saver extension; Windows runs a .scr file as an ordinary PE executable, so the rename does not reduce what it can do.
It might try to connect to:
- unix.ru###.org
- http://64.211.##.210/wecham2007/
- http://208.75.###.43/assinante/
The exact addresses are intentionally masked here with # characters.
Symptoms
Presence of the files listed above, with matching file sizes.
Presence of the Run values "symanteccsysconf" and "SymantecFilterCheck" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, pointing at files in the system32 directory.
Unexpected connections to:
- unix.ru###.org
- http://64.211.##.210/wecham2007/
- http://208.75.###.43/assinante/
The exact addresses are intentionally masked here with # characters.
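The following is an added triage example, not McAfee's tooling and not code from the original description. It checks an inventory already collected from a suspect host (file paths with sizes, the values under the Run key, and proxy log lines) against the file, registry and network indicators given in the Characteristics and Symptoms sections above, and includes the header check that would expose pirata.jpg as a renamed PE. All sample data is constructed: the inventory, the Run values, the log line layout and the 203.0.113.x addresses are assumptions, and the masked label in unix.ru###.org is matched as a wildcard because the page omits it.

```python
"""Offline triage for the Downloader-BFX indicators described above.
Added example, not McAfee's tooling; all sample data is constructed."""
import ntpath
import re

# File indicators: lower-case base name -> expected size in bytes. BSYYS is
# downloaded as .exe but dropped as .scr, so both names are listed.
FILE_IOCS = {
    "foto2007.exe": 37376,
    "bsyys.exe": 234496,
    "bsyys.scr": 234496,
    "imglog.exe": 1075200,
    "pirata.jpg": 22528,
    "ponto.dll": 397,
    "megatron.ini": 0,
}
# Run-key value names masquerading as Symantec components -> expected target.
# Only the trailing system32\<file> part is compared, since %SystemRoot% varies.
RUN_IOCS = {
    "symanteccsysconf": r"system32\bsyys.scr",
    "symantecfiltercheck": r"system32\imglog.exe",
}
# Network indicators. The page masks parts of the addresses with '#', so only
# the unmasked URL paths are matched exactly; the masked label in the host
# name is treated as a wildcard (assumption, the page omits it).
URL_PATH_IOCS = ("/wecham2007/", "/assinante/")
HOST_IOC_RE = re.compile(r"^unix\.ru[^.]*\.org$", re.IGNORECASE)


def looks_like_pe(data):
    """True if data has an MZ header whose e_lfanew points at the 'PE\\0\\0'
    signature, i.e. it is an executable whatever its extension (cf. pirata.jpg)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def match_files(inventory):
    """Return (path, size) pairs whose base name AND size match an indicator.
    Size is required so a benign file with a coincidental name is not flagged."""
    return [(p, s) for p, s in inventory
            if FILE_IOCS.get(ntpath.basename(p).lower()) == s]


def match_run_entries(run_values):
    """Return (name, data) Run values whose name and target both match."""
    hits = []
    for name, data in run_values.items():
        target = RUN_IOCS.get(name.lower())
        if target and data.lower().strip('"').endswith(target):
            hits.append((name, data))
    return hits


def match_proxy_log(lines):
    """Return log lines requesting an indicator URL path or host. Lines are
    assumed to be '<timestamp> <client> <method> <url>' (constructed layout)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        m = re.match(r"https?://([^/]+)(/.*)?$", parts[3], re.IGNORECASE)
        if not m:
            continue
        host, path = m.group(1), (m.group(2) or "/").lower()
        if HOST_IOC_RE.match(host) or path.startswith(URL_PATH_IOCS):
            hits.append(line)
    return hits


# Constructed sample data (not from a real incident).
SAMPLE_FILES = [
    (r"C:\WINNT\system32\bsyys.scr", 234496),
    (r"C:\WINNT\system32\imglog.exe", 1075200),
    (r"C:\WINNT\pirata.jpg", 22528),
    (r"C:\WINNT\ponto.DLL", 397),
    (r"C:\WINNT\system32\MEGATRON.ini", 0),
    (r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\bsyys.scr", 234496),
    (r"C:\Photos\pirata.jpg", 51200),  # benign: same name, different size
    (r"C:\WINNT\system32\notepad.exe", 50960),  # benign, made-up size
]
SAMPLE_RUN = {
    "symanteccsysconf": r"C:\WINNT\system32\bsyys.scr",
    "SymantecFilterCheck": r"C:\WINNT\system32\imglog.exe",
    "ccApp": r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",  # benign
}
SAMPLE_LOG = [
    "2007-11-19T10:02:11Z 10.0.0.12 GET http://203.0.113.5/wecham2007/BSYYS.exe",
    "2007-11-19T10:02:15Z 10.0.0.12 GET http://203.0.113.9/assinante/imglog.exe",
    "2007-11-19T10:03:00Z 10.0.0.12 GET http://www.example.org/index.html",
]
# Minimal MZ/PE header (e_lfanew = 0x40) versus a JPEG SOI marker.
FAKE_PE = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 16
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\0" * 60
```

Matching on name plus size rather than name alone is deliberate: a 0-byte .ini or a user's own pirata.jpg proves nothing, whereas the sizes given in the description are specific to these samples. The Run-key check compares the value name and the target path together, because a value named after a Symantec component that points at a .scr in system32 is the actual anomaly, not the name by itself.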
Method of Infection
Manual infection: the downloader has to be executed by the user; there is no exploit associated with it.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Aliases
- downloader.win32.agent.eys (avp)
- downloader:win32/small.gen!v (msmp)